APPARATUS AND METHOD FOR DETECTING NETWORK ATTACK BASED ON VISUAL DATA ANALYSIS

US 20110016525A1
Filed: 12/03/2009
Published: 01/20/2011
Est. Priority Date: 07/29/2009
Status: Abandoned Application

First Claim

Patent Images

1. An apparatus for detecting a network attack, comprising:

a traffic image generator for generating a traffic image using traffic information and additional IP information extracted from the traffic information;

a network attack detector for comparing similarities between the traffic image and a previously generated traffic image based on a predetermined similarity threshold to detect the presence of the network attack;

a network attack analyzer for analyzing the traffic image at a time when the network attack is detected to detect network attack information and pattern information of the network attack; and

a representation unit for visualizing the network attack information and the pattern information of the network attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus for detecting a network attack includes a traffic image generator for generating a traffic image using traffic information and additional IP information extracted from the traffic information; a network attack detector for comparing similarities between the traffic image and a previously generated traffic image based on a predetermined similarity threshold to detect the presence of the network attack; and a network attack analyzer for analyzing the traffic image at a time when the network attack is detected to detect network attack information and pattern information of the network attack. A representation unit for visualizing the network attack information and the pattern information of the network attack.

36 Citations

View as Search Results

20 Claims

1. An apparatus for detecting a network attack, comprising:
- a traffic image generator for generating a traffic image using traffic information and additional IP information extracted from the traffic information;
  
  a network attack detector for comparing similarities between the traffic image and a previously generated traffic image based on a predetermined similarity threshold to detect the presence of the network attack;
  
  a network attack analyzer for analyzing the traffic image at a time when the network attack is detected to detect network attack information and pattern information of the network attack; and
  
  a representation unit for visualizing the network attack information and the pattern information of the network attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 15)
- - 2. The apparatus of claim 1, wherein the traffic image generator includes:
    - a traffic information collector for collecting the traffic information;
      
      an IP address extractor for extracting additional IP information for the traffic information, wherein the additional IP information includes a source IP, destination IP and statistics; and
      
      an image generator for mapping destination and source information to vertical and horizontal axes, respectively, to thereby generate the traffic image, wherein a pixel in the traffic image represents a traffic flow from the source IP to the destination IP.
  - 3. The apparatus of claim 2, wherein each of the source IP and destination IP includes country, autonomous system (AS), company, Internet service provider (ISP), latitude, longitude, and management domain, to which an IP address belongs.
  - 4. The apparatus of claim 2, wherein the traffic image is generated in synchronized with a cycle T during which the traffic information is collected.
  - 5. The apparatus of claim 2, wherein a color of the pixel represents the statistics of the traffic flow from the source IP to the destination IP.
  - 6. The apparatus of claim 1, wherein the network attack detector includes:
    - an attack detector for comparing a similarity between the traffic image and the previously generated traffic image to decide the presence of the network attack if a similarity difference exceeds the predetermined similarity threshold; and
      
      a traffic image manager for providing a detection result indicating the presence of the network attack to the network attack analyzer.
  - 7. The apparatus of claim 6, wherein the similarity comparison is performed by a scene change detection technique using the change in pixel color or between discrete cosine transform (DCT) variables.
  - 8. The apparatus of claim 3, wherein the network attack analyzer includes:
    - a network attack analysis administrator for making a request for analysis of the network attack depending on whether the network attack is a global attack or a local attack, and generating the network attack information and the pattern information of the network attack based on a network attack analysis result received in response to the request;
      
      a global attack detector for analyzing the traffic between the source IP and the destination IP in the traffic image, and the distribution of the source and destination IPs in the traffic image to identify a kind of the network attack; and
      
      a local attack detector for analyzing traffic volume for each host and port in the traffic image to identify a kind of the network attack.
  - 9. The apparatus of claim 8, wherein the image processing technique is one of an image segmentation technique, a connected component labeling technique, and an edge detection technique.
  - 10. The apparatus of claim 1, wherein the representation unit includes:
    - a result representation part for constructing a map of attack detection results by combining the network attack information and the pattern information of the network attack.
  - 11. The apparatus of claim 10, wherein the map of attack detection results is comprised of network attack detection list, similarity between the traffic images, an original traffic flow, a traffic image, an image for host analysis and an image for port analysis.
  - 15. The apparatus of claim 10, wherein the traffic image is generated in synchronized with a cycle T during which the traffic information is collected.

12. A method for detecting a network attack, comprising:
- generating a traffic image using traffic information and additional IP information extracted from the traffic information;
  
  comparing similarities between the traffic image and a previously generated traffic image based on a predetermined similarity threshold to detect the presence of the network attack;
  
  analyzing the traffic image to detect network attack information and pattern information of the network attack; and
  
  visualizing the network attack information and the pattern information of the network attack.
- View Dependent Claims (13, 14, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, wherein said collecting traffic information includes:
    - collecting the traffic information;
      
      extracting the additional IP information for the traffic information, wherein the additional IP information includes source IP, destination IP and statistics; and
      
      mapping destination and source information to vertical and horizontal axes, respectively, to thereby generate the traffic image, wherein a pixel in the traffic image represents a traffic flow from the source IP to the destination IP.
  - 14. The method of claim 13, wherein each of the source IP and destination IP includes country, autonomous system (AS), company, internet service provider (ISP), latitude, longitude, and management domain, to which an IP address belongs.
  - 16. The method of claim 13, wherein a color of the pixel represents the statistics of the traffic flow from the source IP to the destination IP.
  - 17. The method of claim 12, wherein said analyzing the traffic image includes:
    - comparing a similarity between the traffic image and the previously generated traffic image;
      
      if a similarity difference exceeds the predetermined similarity threshold, deciding the presence of the network attack; and
      
      if there exists the network attack, generating a detection result indicating the presence of the network attack.
  - 18. The method of claim 16, wherein the similarity comparison is performed by a scene change detection technique using the change in pixel color or between discrete cosine transform (DCT) variables.
  - 19. The method of claim 12, further comprising:
    - determining whether the network attack is a global attack or a local attack in accordance with the detection result of the presence of the network attack,wherein said analyzing the traffic image includes;
      
      if the network attack is a local attack, analyzing the traffic between the source IP and the destination IP in the traffic image, and the distribution of the source and destination IPs in the traffic image to identify a kind of the network attack; and
      
      if the network attack is a global attack, analyzing traffic volume for each host and port in the traffic image to identify a kind of the network attack.
  - 20. The method of claim 12, wherein said visualizing the network attack information and pattern information includes:
    - constructing a map of attack detection results, which is obtained by combining the network attack information and the pattern information of the network attack, and displaying the list of attack detection results on a display device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Kim, Jonghyun, Na, Jung-Chan, Kim, Geon Lyang, Chang, Beom-Hwan, Cho, Hyun sook, Ryu, Johg Ho, Sohn, Seon-Gyoung, Jeong, Chi Yoon

Application Number

US12/630,672
Publication Number

US 20110016525A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

APPARATUS AND METHOD FOR DETECTING NETWORK ATTACK BASED ON VISUAL DATA ANALYSIS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

APPARATUS AND METHOD FOR DETECTING NETWORK ATTACK BASED ON VISUAL DATA ANALYSIS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links